The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently issued its examination observations related to market participants’ cyber-security and operational resiliency practices. The SEC guidance comes the same week the National Security Agency (NSA) released its own guidance on mitigating cloud vulnerabilities.

The OCIE’s examinations observations report, published Monday, highlights approaches taken by market participants in the following areas: governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. “We felt it was critical to share these observations in order to allow organizations the opportunity to reflect on their own cyber-security practices,” said OCIE Director Peter Driscoll.

Moreover, the examinations report goes into granular detail, citing specific examples of cyber-security and operational resiliency practices and controls organizations have adopted to safeguard against threats and respond in the event of an incident.

Under data loss prevention, for example, the OCIE describes specific measures organizations have taken regarding vulnerability scanning, perimeter security capabilities, patch management, encryption and network segmentation, insider-threat monitoring, and more.

With insider-threat monitoring, specifically, the OCIE recommends creating an insider threat program to identify suspicious behaviors, including:

  • Escalating issues to senior leadership as appropriate;
  • Increasing the depth and frequency of testing of business systems and conducting penetration tests;
  • Creating rules to identify and block the transmission of sensitive data (e.g., account numbers, social security numbers, trade information, and source code) from leaving the organization; and
  • Tracking corrective actions in response to findings from testing and monitoring, material changes to business operations or technology, and any other significant events.

In another example, under mobile security, the OCIE recommends requiring the use of multi-factor authentication (MFA) for all internal and external users; taking steps to prevent printing, copying, pasting, or saving information to personally owned computers, smartphones, or tablets; and ensuring the ability to remotely clear data and content from a device that belongs to a former employee or from a lost device.

“In sharing these staff observations, we encourage market participants to review their practices, policies and procedures with respect to cyber-security and operational resiliency,” the OCIE said. “We believe that assessing your level of preparedness and implementing some or all of the above measures will make your organization more secure.”

NSA guidance

The OCIE’s report comes in the same week the NSA released its own guidance on mitigating cloud vulnerabilities. In that guidance, the NSA not only identifies cloud security components and cloud-threat actors, but also estimates the prevalence of each vulnerability and the sophistication level of each attack (high, moderate, or low). The NSA guidance further describes potential mitigation measures, many of which share commonalities with the SEC guidance—such as MFA, encryption, and patch management.

The NSA said the guidance is intended for use by both organizational leadership and technical staff. “Organizational leadership can refer to the Cloud Components section, Cloud Threat Actors section, and the Cloud Vulnerabilities and Mitigations overview to gain perspective on cloud security principles,” the NSA said. “Technical and security professionals should find the document helpful for addressing cloud security considerations during and after cloud service procurement.”